Social Implications of a Computerized Society Computer Crime

Social Implications of a Computerized Society: Computer Crime
Chapter 5
Instructor: Oliver Schulte, Simon Fraser University

What We Will Cover
• Hacking
• Identity Theft
• Crime Fighting Versus Privacy and Civil Liberties
• Security technologies

Themes in Computer Crime
• We’re going to review some general themes from this course as they apply to computer crime issues.
– Anonymity
– Security/Surveillance/Interception
– Responsibility of Web Technology Providers

Anonymity and Cybercrime
Anonymity facilitates cybercrime compared to the “real” world.
• Anonymity requires identification for legitimate purchases; identity theft makes it easy to impersonate someone.
• Anonymity makes it easier to get away with fraud and deception.
– eBay scams
– Phishing
– Click fraud
• Anonymity facilitates hacking as trespassing (using other people’s computers and usernames).

Security/Surveillance/Interception
• Much personal information is stored or transmitted on the web insecurely.
• “Big Hacker is watching you”.
• Also an issue for privacy.

HACKING: PAST AND PRESENT

Hacking as programming
• Hacking: currently defined as gaining illegal or unauthorized access to a file, computer, or network
• The term has changed over time
• Phase 1: early 1960s to 1970s
– It was a positive term
– A "hacker" was a creative programmer who wrote elegant or clever code
– A "hack" was an especially clever piece of code

Hacker-programmer: Examples
• Reprogram the Wii to play music.
• Break copy protection and fast-forward protection.
• Reprogram the iPhone to work with networks other than the “official” provider.

Hacking and entering
Phase 2: 1970s to mid 1990s
• Hacking took on negative connotations
• Breaking into computers for which the hacker does not have authorized access
• Still primarily individuals
• Includes the spreading of computer worms and viruses and ‘phone phreaking’
• Companies began using hackers to analyze and improve security (“white-hat” hackers).

Hacking and entering: examples
• Phone phreaking: “Legion of Doom” broke into BellSouth computers.
• Pranks: rerouting FBI numbers to phone sex lines, free long-distance calls.
• A German hacker breaks into Pentagon computers.
• Ontario hackers send fake e-mails from the Ontario premier’s office.

Discussion Question
• Is hacking into a computer system always morally wrong? If so, why? If not, when is it wrong and when isn’t it?

Is Hacking Trespass?
• Rights-based argument: Can you compare hacking to walking into someone else’s home? That is a physical intrusion.
• Or is it more like looking through a window? That gathers information with no intrusion.
• Maybe no old category fits: on the web, observation does not require physical presence.
• The lack of physical presence of an observer/intruder also seems relevant to privacy/surveillance issues: cybersurveillance doesn’t “feel” so intrusive.
• Utilitarian argument: monitoring and checking after an intrusion causes a lot of damage. E.g., Boeing had to spend a lot of money to check that no files were changed.

Hacking and the Web
Phase 3: beginning with the mid 1990s
• Changed the scale of computer crime: number of victims, sites, and computers attacked
• Large-scale theft of personal and financial information.
• Viruses and worms can be spread rapidly
• Political hacking (hacktivism) surfaced
• Denial-of-service (DoS) attacks used to shut down Web sites

Internet hacking: examples
• The Internet Worm (1988), Robert Morris from Cornell.
• A worm is a program that copies itself to other computers.
• A virus is a malicious program hidden inside a file, program or document (e.g. a Word macro).
• Melissa virus (1999): mailed copies of itself to 50 e-mail addresses in the address book. Infected 1 million computers.
• Love bug (2000): also mailed itself. Infected 80% of U.S. agencies, millions of computers, $10 billion in damages.

Internet hacking: more examples
• Denial of Service attack (DoS).
• Overload the target site with 10^5 requests for web pages.
• A 15-year-old Canadian, aka “mafiaboy”, shut down Yahoo, eBay, Amazon etc.; $1.7 billion in damage.
• The Estonian government was attacked.

Identity Theft, Spam: Phase 4
• E-commerce has experienced huge growth, estimated around $200 billion in the U.S.; many people send passwords and credit card numbers on-line. Opportunities for fraud and impersonation: eBay, Nigerian account scheme.
• Emergence of organized cybercrime rings: they target e-business by stealing IDs, often internationally. Phishing, pharming, botnets, sniffers.
• FTC estimates 8.3 million victims of identity theft, $15.6 billion in losses.

Cybercrime Tools: Identity Theft
• Phishing: e-mail fishing for personal and financial information, disguised as legitimate business e-mail. (SFU attack)
• Pharming: false Web sites that fish for personal and financial information by planting false URLs in Domain Name Servers.
• Social Engineering: manipulating people into releasing information in violation of security protocols.
– used to launch the Melissa and ILOVEYOU viruses

Cybercrime Tools: Malware
• Already discussed: viruses and worms
• Trojan Horse: apparently benign software with a malicious component
– e.g. send spam to all contacts
• Ransomware: encrypts files on the computer, demands payment (in bitcoin) for the key
– 4,000 per day in 2016
• Spyware: records user activities
• Backdoor: software that allows access at a future time

Cybercrime Tools: Botnets
• Zombie viruses, botnets: normal computers remotely controlled by the distributor. Typically millions of infected machines. (Botnet Article)
• “A botnet is a controlled army of compromised devices”

Identity Theft: The Target Breach
Target Security Breach (Fall 2013)
• Data on 40 million credit cards stolen
• Over 70 million customer records stolen
• Started with a phishing email sent to Fazio Mechanical
– A small company with 200 employees
• Target had to compensate consumers

Discussion Question
• The Federal Trade Commission (U.S.) has said that “companies that collect sensitive consumer information have a responsibility to keep it secure”.
• Do you agree with that? How much responsibility do users/customers have? For example, using firewalls, encryption, coded credit cards, strong passwords?

SCAMS AND FORGERIES

Ad/Click Fraud
• Recent major ad fraud case (Google post)
1. Make or acquire a popular Android app
2. Track user behaviour (spyware)
3. Use zombies in a botnet to mimic users
4. Send bot traffic to the app mixed with real human traffic to escape fraud detection
5. Bots click on ads → more money for the developers!

Auction Fraud
• FTC reports that online auction sites are one of the top sources of fraud complaints
– Some sellers do not send items or send inferior products
– Shill bidding is used to artificially raise prices
– Sellers give themselves or friends glowing reviews to garner consumer trust
• Auction sites use various techniques to counter dishonest sellers.

Discussion Question
• Fraud on eBay has steadily increased.
• Does an auction site like eBay have an obligation to protect customers from fraud any more than a search engine has an obligation to prevent illegal downloading of copyrighted material?
• What about monitoring the sale of illegal goods, like brand-name fakes? (eBay case)
• What about the obligation of YouTube to remove copyrighted material?

Other Examples
• Stock fraud: the most common method is to buy a stock low, send out e-mails urging others to buy, and then sell when the price goes up, usually only for a short time.
• Digital forgery: new technologies (scanners and high-quality printers) are used to create fake checks, passports, visas, birth certificates, etc., with little skill and investment.
• Canadian case: 400 SIN numbers stolen by a government employee, $7 million fraud. (SIN case)

FIGHTING CYBERCRIME

Security Technologies
• Big business: e-mail security sales of $1.2 bn in 2008.
• Firewalls monitor network traffic.
• Web browsers check websites for proper authorization.
• Biometrics may be a new way to identify yourself.
• Public-key encryption: an important theoretical tool.
• New authentication methods? Preference-based identification.
• Fundamental trade-off: security versus convenience.

Encryption and Biometrics
• Public-key encryption: the encryptor makes two keys, one secret, one public. With the public key, anyone can encrypt, but only the encryptor can decrypt. See the PDFs from Scientific American.
• Biometrics: fingerprint, face, iris, voice.
• Included in the Toshiba Portege M800 laptop.
• Desired false positive/false negative rate: < 0.1%.
• Currently no single technology gets this; maybe we need to use combinations.
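The two-key idea from the slide, worked through as an added example that is not from the course materials: textbook RSA with deliberately tiny primes (61 and 53, a constructed toy key, not a usable one), showing that anyone holding the public key can encrypt but only the holder of the secret key recovers the message.

```python
# Textbook RSA toy: two keys from one key-generation step.
# Constructed for teaching only; real deployments use 2048-bit primes,
# randomized padding (OAEP), and a vetted library, never this code.
from math import gcd


def make_keys(p: int, q: int, e: int = 17):
    """Return (public, private) keys from two primes p and q.

    public  = (n, e): anyone may use it to encrypt.
    private = (n, d): only the key owner holds d and can decrypt.
    """
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, m: int) -> int:
    """Encrypt integer message m with the public key: c = m^e mod n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    """Recover m from c with the secret key: m = c^d mod n."""
    n, d = private
    return pow(c, d, n)


def demo():
    """Encrypt with the public key, decrypt with the private key,
    and show that the public key alone does not undo the encryption."""
    public, private = make_keys(61, 53)        # toy key: n = 3233
    m = 65                                     # constructed sample message
    c = encrypt(public, m)                     # anyone can do this step
    recovered = decrypt(private, c)            # only the key owner can
    public_only = pow(c, public[1], public[0]) # wrong: applying e again
    return m, c, recovered, public_only


if __name__ == "__main__":
    print(demo())
```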

Responsibility of Web Providers
• eBay at first: “we are like a newspaper publishing classified ads” (common carrier). No responsibility for what people do with our technology.
• Now: fraud departments, risk warnings, reputation scores and other systems for combating fraud. Some responsibility for avoiding fraud.
• Is this an ethical obligation or just business sense?
• Ethical argument: eBay is in a better position to check identities and trustworthiness than regular customers.

System Professionals
• Software designers and system administrators should put time and resources into system security.
• Cybersecurity professionals protect systems and networks. Three broad goals:
– Confidentiality: keep private data private
– Integrity: allow only authorized access
– Availability: ensure system and data are accessible when needed

LEGAL PERSPECTIVES

Law Enforcement and Security
• Security against unauthorized access → no access for law enforcement either
• 1994 CALEA (Telecommunications): communications equipment must have a backdoor for the FBI to eavesdrop
• FBI tried to get a backdoor for encryption

Examples
• Terrorist killed 14 people in San Bernardino
• FBI could not unlock the terrorist’s iPhone.
– Asked Apple to create an iOS version with no limit on login attempts

CFAA
• Computer Fraud and Abuse Act
• For devices connected to the internet, makes it illegal to
– access without authorization
– exceed authorization
– in order to read or copy information
• Increased penalties for justice/military computers.

Discussion Question
• Should it be a crime to write or post computer viruses?

Conclusion
• Hacking: modern connotation: breaking into computers without authorized access